kubernetes-sigs/krew-index

Plugins are distributed without a license file

corneliusweig opened this issue · 15 comments

I realized that no plugin that I'm aware of actually installs a license file. That seems to violate the conditions of many licenses, for example the Apache license which states under 4.c)

You must retain, in the Source form of any Derivative Works
that You distribute, all copyright, patent, trademark, and
attribution notices from the Source form of the Work,
excluding those notices that do not pertain to any part of
the Derivative Works; and

Most of the time, the original authors submit their plugins to the index. Even then, we are most likely violating the license conditions. So what should we do about it? Options:

  • Require that plugin authors also copy over their license(s) in the files field of the manifest. This will require a lot of back and forth with plugin authors until all plugins are updated.
  • Add a new mandatory manifest field license which simply states what is the license of the plugin. This is simpler, but maybe not sufficient.

WDYT?

Excellent point, I think you're right we should fix this.

To be precise, this is a "distribution" problem and not a problem with "krew" itself, at best, it's a krew-index issue.

  • Require that plugin authors also copy over their license(s) in the files field of the manifest. This will require a lot of back and forth with plugin authors until all plugins are updated.

Technically we could do this ourselves easily. It's not a bad idea.
Similarly we'd need to make it part of our review procedure for krew-index.

  • Add a new mandatory manifest field license which simply states what is the license of the plugin. This is simpler, but maybe not sufficient.

I think a new license field is not going to be the best idea. We actually need the full text. Also, some plugin in the future (such as "private plugins") won't need this field. Making it required will create friction.


I've been trying to recall what Homebrew does, because for many similar formulae (kubectx.rb, kubernetes-cli.rb, fzf.rb, ...) the file doesn't talk about the license.

I am suspecting Homebrew is copying certain files like LICENSE* COPYING* CHANGELOG* out of the repository root as an implicit step, but I cannot find docs on this behavior.

It indeed seems like Brew is automatically copying out these files:
https://rubydoc.brew.sh/Metafiles.html
I can't easily read ruby code, but my guess is it's only picking these from the repository root, but in our case there's no such concept.
For example, in tag tarballs provided by GitHub (imagine bash plugins), the root level dir is technically 1-level nested, like kubectx-v0.7.1/LICENSE.

I agree that this is mainly a krew-index problem. But it might need support from krew as well.

Technically we could do this ourselves easily. It's not a bad idea.

I'm not so sure about this. Doesn't this mean that we need to include the correct license file in every plugin bundle? Only repo owners have the right to do that though. And it will take a lot of back-and-forth until all plugins comply.


For that reason, I think a new license field in the manifest may be the better option. What exactly this field looks like and how it should behave remains to be discussed.

Precisely, we need to get ahead of the growth here.
I feel like there will be some manual work involved. We should probably open a mega issue with all plugins and keep track of the fixes very soon.

For that reason, I think a new license field in the manifest may be the better option.

Yeah but LICENSE file is not really special. Similarly, they might have multiple licenses, dependency licenses, other files like {changelogs,authors}.txt that they might need to ship. I recommend we don't get into that business.

I'm currently -1 for introducing a new field, just for the license.

It's clear to me
(1) we need to work with repo authors, maybe even make PRs to them ourselves, and it'll be a team effort
(2) make this a requirement from now on (update docs, PR templates etc).

What I'm more unclear about is which one of these we should do:

  • copy certain files (license, copying, ...) from the archive (root, or maybe 1-level deep) automatically out to installDir
  • explicitly require every plugin to copy its LICENSE and similar files in files:.

Ok, I get your point.

In that case, it looks like we could save our plugin authors some manual hassle if we go with the automatic copying option. If I'm not missing anything, then this is our roadmap:

  • When installing new plugins, search for the license file by name and copy that out into $KREW_HOME/store. When no license can be found, the install should fail.
  • Make sure that a license file is included in all current plugins. This will be manual work and we should get involved with opening PRs in the original repos.
  • Add a validation step for manifests that checks that the bundle contains a license or LICENSE file (probably ignore case altogether).
  • Update the instructions for plugin submission. Also point out that it is the responsibility of plugin submitters to also include and copy out any other files like changelog.txt or authors.txt if this is necessary to comply with plugin licenses.

I'll create a google doc to organize our work around adding licenses to archive bundles. Please respond here if you want to get assigned a batch of plugins :)
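The validation step sketched in the roadmap above, written out as an added example (not krew's own code). It assumes the krew manifest's `files` entries have a `from` glob, that `*` in such a glob does not cross a `/` (assumed to mirror krew's matcher), and that license files are named LICENSE or COPYING (optionally .md/.txt) at the archive root or one directory deep, as GitHub tag tarballs lay them out. The tarball is constructed inline.

```python
import fnmatch
import io
import re
import tarfile

# File names accepted as a license notice (case-insensitive), per the plan above.
LICENSE_NAME = re.compile(r"^(license|copying)(\.(md|txt))?$", re.IGNORECASE)


def license_members(names):
    """Archive entries that look like a license at the root or one directory deep."""
    hits = []
    for name in names:
        parts = name.strip("/").split("/")
        if len(parts) <= 2 and LICENSE_NAME.match(parts[-1]):
            hits.append(name)
    return hits


def glob_match(pattern, path):
    """Segment-wise glob: '*' does not cross '/' (assumption about krew's matching)."""
    pp, sp = pattern.strip("/").split("/"), path.strip("/").split("/")
    return len(pp) == len(sp) and all(fnmatch.fnmatchcase(s, p) for p, s in zip(pp, sp))


def check_plugin(archive_bytes, files_spec):
    """Validate one platform entry: (status, license entries found or copied)."""
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:gz") as tar:
        names = tar.getnames()
    found = license_members(names)
    if not found:
        return ("fail-no-license", [])           # install should fail outright
    copied = [f for f in found if any(glob_match(spec["from"], f) for spec in files_spec)]
    if not copied:
        return ("fail-not-copied", found)        # license exists but files: ignores it
    return ("ok", copied)


def build_sample_tarball():
    """Constructed sample archive shaped like a GitHub tag tarball (one nested root dir)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in (("kubectx-v0.7.1/kubectx", b"#!/bin/sh\n"),
                           ("kubectx-v0.7.1/LICENSE", b"Apache License 2.0\n")):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


if __name__ == "__main__":
    files = [{"from": "kubectx-*/kubectx", "to": "."}]
    print(check_plugin(build_sample_tarball(), files))   # ('fail-not-copied', [...])
    files.append({"from": "kubectx-*/LICENSE", "to": "."})
    print(check_plugin(build_sample_tarball(), files))   # ('ok', ['kubectx-v0.7.1/LICENSE'])
```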

I created a sheet to track the plugin license status: https://docs.google.com/spreadsheets/d/1Q3enNf61muuVQw6eWLsMTfZJ67tbEpedKAH94MjbBjI/edit?usp=sharing

If you think the above plan sounds good, I'll create a few issues tomorrow.

Oh, it's much better than I had anticipated. Exactly half of the plugins already contain a license file. There are LICENSE.md, LICENSE, and LICENSE.txt.

I assume on that spreadsheet "included" means, it exists in the repo, right?

@ahmetb Yes, that's correct.

As discussed offline, we are going to handle this purely on the krew-index side. This means that all plugin manifests must manually copy out their license file.

For those that already contain a license, we can do this without bothering the plugin authors. For all remaining ones, I opened an issue.

/priority important-soon

For the plugins that have a license in their archive but don't install the license, I opened the following PRs:

  • Install license for restart (#339)
  • Install license for who-can (#338)
  • Install license for config-cleanup (#337)
  • Install license for tail (#336)
  • Install license for cssh (#335)
  • Install license for konfig (#334)
  • Install license for view-secret (#333)
  • Install license for bulk-action (#332)
  • Install license for warp (#331)
  • Install license for iexec (#330)
  • Install license for gopass (#329)
  • Install license for sudo (#328)
  • Install license for outdated (#327)
  • Install license for preflight (#326)
  • Install license for support-bundle (#325)
  • Install license for sort-manifests (#324)
  • Install license for open-svc (#323)
  • Install license for view-serviceaccount-kubeconfig (#322)
  • Install license for prune-unused (#321)
  • Install license for exec-cronjob (#320)
  • Install license for custom-cols (#319)
  • Install license for ssh-jump (#318)

Thanks @corneliusweig. I've bulk merged them by applying the lgtm label.

For the remaining ones, feel free to add a - [ ] checklist to your original issue message (or open a new issue for tracking what's left).

Follow-up issue is #341